---
title: "Chrome 150 Patches 382 Security Fixes, 15 Critical"
date: 2026-07-01
author: "Sofia Ramirez"
featured_image: "https://sqmagazine.co.uk/wp-content/uploads/2026/07/chrome-update-fixes-382-vulnerabilities.jpg"
categories:
  - name: "Technology"
    url: "/technology.md"
tags:
  - name: "News"
    url: "/tag/news.md"
---

# Chrome 150 Patches 382 Security Fixes, 15 Critical

Google promoted Chrome 150 to the stable channel on June 30, 2026, for Windows, Mac and Linux, according to Google’s Chrome team, an update carrying 382 security fixes, including 15 Critical-severity vulnerabilities.

## Quick Summary – TLDR:

- Google shipped Chrome build 150.0.7871.46/.47 for Windows and Mac and 150.0.7871.46 for Linux on June 30, 2026.
- The release patches 382 security fixes, including 15 Critical-severity CVEs tracked as CVE-2026-13774 through CVE-2026-13788.
- Use-after-free flaws make up most of the Critical-severity bugs, spread across Extensions, GPU, Browser, Bluetooth, WebUSB, Views, Chromoting, and Ozone components, plus type confusion and validation failures.
- Researcher bounties for High-severity bugs ranged from $2,000 to $36,000. Bounty payouts like these sit inside the wider picture of paid security research work.
- Many bugs surfaced through AddressSanitizer, MemorySanitizer, UndefinedBehaviorSanitizer, and fuzzing tools.

## What Happened?

Google’s Chrome team announced the rollout of Chrome 150 to the stable channel in a stable channel update post, noting the update “**will roll out over the coming days/weeks.**” The desktop build lands as **150.0.7871.46/.47** for Windows and Mac and 150.0.7871.46 for Linux. Chrome’s position in [Web Browser Usage](https://sqmagazine.co.uk/web-browser-usage-statistics/) helps explain why a Critical bug in the world’s most-used browser carries outsized reach across Windows, Mac, and Linux desktops alike.

382 security fixes shipped in a single release, **15** of them rated Critical. Google assigns Critical severity to bugs that could let an attacker execute arbitrary code outside the browser’s sandbox, the highest tier on its rating scale. A count that large reflects bounty, and audit reports accumulated over weeks, not a sudden spike in new bugs, and 15 Critical bugs concentrated in hardware and extension-facing components.

The 15 Critical CVEs run consecutively from **CVE-2026-13774** through **CVE-2026-13788** and are primarily use-after-free vulnerabilities, alongside type confusion and validation failures across various subsystems. A use-after-free bug happens when code keeps a pointer to memory that has already been freed; if an attacker controls what gets written into that freed memory before the pointer is used again, the result can be code execution.

> Google Chrome Releases: Stable Channel Update for Desktop<https://t.co/ITytxvdz5a>
> 
> — Chrome Releases Blog (@\_ChromeReleases) [June 30, 2026](https://x.com/_ChromeReleases/status/2072091625166151796?ref_src=twsrc%5Etfw)

 ## Which components were affected?

According to Google’s advisory, the **Extensions, GPU, Browser, Bluetooth, WebUSB, Views, Chromoting, and Ozone** components contain the Critical severity vulnerabilities addressed in this update. The vulnerabilities affecting Bluetooth and WebUSB are particularly notable because these components manage direct communication with hardware devices. As browsers continue exposing more device APIs to web pages, these interfaces have come under increasing industry scrutiny.

Extensions, Bluetooth, and WebUSB also share an important characteristic. They process input that originates outside Chromium’s trust boundary before it reaches the sandboxed renderer. This often involves code that manages object lifecycles across asynchronous callbacks, a programming pattern that is difficult to detect through static code analysis and has historically been prone to memory safety issues.

Several High severity vulnerabilities included in this release earned researchers bug bounty rewards ranging from **$2,000 to $36,000**. Google operates [Chrome’s bug bounty program](https://sqmagazine.co.uk/google-ai-bug-bounty-program/) to reward independent security researchers who responsibly disclose vulnerabilities before they can be exploited by attackers. The wide payout range reflects the varying severity and exploitability of the reported issues. Chrome’s reward structure is not fixed and instead scales based on factors such as exploit reachability and potential impact, with lower rewards typically assigned to simple memory corruption bugs and higher rewards reserved for issues such as sandbox escapes.

Google also noted that many of the vulnerabilities fixed in this update were identified through automated security tools, including **AddressSanitizer, MemorySanitizer, UndefinedBehaviorSanitizer, and fuzzing techniques**.

These tools instrument Chromium’s C++ code to detect memory safety errors during testing and have become a key part of Google’s defense strategy against use after free vulnerabilities. This class of memory safety bug accounts for many of the Critical issues addressed in the update and continues to rank among the most frequently exploited categories of software vulnerabilities.

## How to update Chrome now?

Chrome typically checks for updates automatically, but the patch does not apply until the browser restarts. Users can force the check by opening `**chrome://settings/help**`, which downloads the update immediately if one is pending and prompts for a restart.

On Windows and Mac, the version number to look for is **150.0.7871.46** (or 150.0.7871.47); on [Linux](https://sqmagazine.co.uk/linux-statistics/), 150.0.7871.46. Enterprise IT teams pushing Chrome via managed policy should confirm their fleet reflects the same build number before treating the rollout as complete, since Google’s own post notes the release “**will roll out over the coming days/weeks**” rather than all at once.

Patching a Critical use-after-free bug helps reduce the risk of remote code execution through a malicious web page, but it does not guarantee immunity from every browser exploit chain. Layered defenses, including sandboxing, site isolation, and OS-level protections, still matter.

Delaying the restart leaves the previous build’s known Critical flaws exposed, which is the practical reason security teams treat “**update available**” notices as more urgent than they look. That habit lines up with broader threat data on patch behavior, which consistently ties faster patch cycles to lower breach rates.

## SQ Magazine’s Takeaway

The presence of 15 Critical CVEs among 382 fixes in a single stable Chrome release highlights a persistent challenge for Chromium’s security team. Most of these Critical flaws are use after free vulnerabilities concentrated in the Extensions, Bluetooth, and WebUSB components, underscoring that memory safety remains one of Chromium’s most difficult problems despite extensive use of fuzzing and code sanitization tools throughout the development pipeline.

For everyday users, the takeaway is straightforward: this is not an update to postpone. A Critical use after free vulnerability in the Bluetooth or WebUSB stack could potentially allow a crafted web page or a malicious hardware device to achieve arbitrary code execution on a vulnerable system. Because Chrome’s security fixes only take effect after the browser is restarted, users should visit **chrome://settings/help** to confirm they are running the latest version and then restart the browser. Completing those steps takes less than a minute and significantly reduces the window of exposure.